HTTP split / CRLF attack

Hello
There is an application developed in asp/.net that was vulnerable to HTTP split attacks. There was an input parameter sent in GET requests that was used as part of the Location header on the redirect. So, we just inserted a CRLF and we could create fake headers.
They mitigated the problem, but I'm unsure if it's really a good mitigation.
Now, it only prints into the Location header until it reaches a CR or LF character, so I'm unable to add more headers.
However, if I add two CRLFs in sequence, I see that the following headers are sent and interpreted by the browser as HTML (body contents).
The input also filters <, >, ' and ".
Also, all data that I insert in this field always generates a redirect (302 HTTP code) to another webpage.
Inserting stuff like

    foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>test</html>
doesn't work; I always get the redirected page again. Probably because these supposed headers are never sent as headers because of the input filter; if I add two CRLFs they turn into body contents and appear as text.
XSS could be possible, but unhappily the filters on <, >, ' and " prevent me from exploiting it. I could set UTF-7 in the header and send encoded contents, but again I can't manipulate the headers.
Any idea if exploitation is possible?

http://sla.ckers.org/forum/read.php?4,34598,34598#msg-34598 | Tue, 03 Mar 2015 12:50:01 -0600 | Phorum 5.2.15a
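As an added example (not code from the post or from the application it discusses), the Python below decodes the payload quoted above, lists the response lines it would inject if CR/LF reached the Location header, models the truncate-at-first-CR/LF fix the poster describes, and contrasts it with a stricter handler that rejects control characters outright and also allowlists the redirect host. The helper names and the allowlisted host are assumptions made for this example.

```python
import urllib.parse

# Constructed sample of the percent-encoded payload quoted in the post;
# the redirect handler URL-decodes it before building the Location header.
PAYLOAD = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
           "Content-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a"
           "<html>test</html>")

def decode_param(raw):
    """URL-decode a query parameter the way the redirect handler sees it."""
    return urllib.parse.unquote(raw)

def injected_lines(value):
    """Response lines a splitting payload would add if the decoded value were
    copied into Location unchanged; the first line is the intended target."""
    return value.replace("\r\n", "\n").replace("\r", "\n").split("\n")[1:]

def truncate_at_crlf(value):
    """The partial fix described in the post: keep the value only up to the
    first CR or LF. Extra headers are blocked, but the request is still served."""
    for i, ch in enumerate(value):
        if ch in "\r\n":
            return value[:i]
    return value

class UnsafeRedirect(ValueError):
    """Raised when a redirect target must not be emitted at all."""

def safe_location(value, allowed_hosts=("www.example.test",)):
    """Stricter alternative: reject instead of truncating, and allow only relative
    paths or http(s) URLs on an allowlisted host (default host is a placeholder)."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise UnsafeRedirect("control character in redirect target")
    if "\\" in value:  # browsers treat a backslash like a slash in URLs
        raise UnsafeRedirect("backslash in redirect target")
    parts = urllib.parse.urlsplit(value)
    if parts.scheme and parts.scheme not in ("http", "https"):
        raise UnsafeRedirect("non-http scheme")
    if parts.scheme and not parts.netloc:
        raise UnsafeRedirect("scheme without host")
    if parts.netloc and parts.hostname not in allowed_hosts:
        raise UnsafeRedirect("host not on allowlist")
    return value

def is_safe(value):
    """True if safe_location() accepts the value, False if it rejects it."""
    try:
        return safe_location(value) == value
    except UnsafeRedirect:
        return False
```

The truncating fix still answers the request with a redirect, which is why the poster keeps seeing the 302; rejecting the value (and logging the attempt) gives the defender a detection signal as well as a safe header.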